MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ae03b110ace89c3237aae4dc7028b594fe0f2fb4d9464c992829f6cfadb6b5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	8ae03b110ace89c3237aae4dc7028b594fe0f2fb4d9464c992829f6cfadb6b5c
SHA3-384 hash:	c999b9a1fa9db8201e459676ee6551ab1024b435bfdca9d161117732652dd065ef45be13cdbec4259480e7aefc3b916a
SHA1 hash:	87da3002a3b1b0463676402818804a732397d084
MD5 hash:	3919da5162a89a79bee46dc901fcf2e2
humanhash:	solar-pasta-spring-william
File name:	8AE03B110ACE89C3237AAE4DC7028B594FE0F2FB4D946.exe
Download:	download sample
Signature	Pony Create hunting rule
File size:	695'296 bytes
First seen:	2023-03-12 20:15:23 UTC
Last seen:	2023-03-12 21:34:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5a0b8def8005b086f77ca60dc9037333 (1 x Pony)
ssdeep	12288:T2/AVuOj6WH9/WhXXFBYG2zjyT9ZDmLkDJ/z6hedNF/3qSZk:TMfOjLWhnFKGKjOF4O68HVqSZk
Threatray	28 similar samples on MalwareBazaar
TLSH	T155E48D22B2A04437D2A72B789C5F93649B35BE302F2995466FEC2C085FF93513A39197
TrID	33.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 30.5% (.SCR) Windows screen saver (13097/50/3) 10.5% (.EXE) Win32 Executable (generic) (4505/5/1) 6.9% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	399998ecd4d46c0e (573 x Quakbot, 295 x GCleaner, 137 x ArkeiStealer)
Reporter	abuse_ch
Tags:	exe Pony

abuse_ch

Pony C2:
http://tnaapparels.com/66/panel/gate.php

Intelligence

File Origin

# of uploads :

# of downloads :

256

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

8AE03B110ACE89C3237AAE4DC7028B594FE0F2FB4D946.exe

Verdict:

No threats detected

Analysis date:

2023-03-12 20:17:07 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1657d412-4064-4607-b733-eb08f306cce4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Pony

Link:

https://www.capesandbox.com/analysis/373821/

Detection(s):

SecuriteInfo.com.Trojan.Delf.Agent.JF.5863.27081.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Sending a custom TCP request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/72874/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

keylogger packed

Link:

https://www.filescan.io/uploads/640e330469819068058c520f/reports/07b852b6-8ef9-4be3-aa6b-2d9a40880e97/overview

Verdict:

Malicious

Labled as:

Trojan.Delf.Agent

Link:

https://www.hybrid-analysis.com/sample/8ae03b110ace89c3237aae4dc7028b594fe0f2fb4d9464c992829f6cfadb6b5c

Malware family:

Pony

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/20baa377-df9c-427a-b522-455d7fa53964

Result

Threat name:

Lokibot, Pony

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1192131

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Detected Lokibot Info Stealer

Detected unpacking (changes PE section rights)

Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Pony

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8ae03b110ace89c3237aae4dc7028b594fe0f2fb4d9464c992829f6cfadb6b5c/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2018-04-17 05:31:45 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 38 (76.32%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rlqdweikz2e4gi32vzg4oaullfh6b4x3jwkgjsmsqkpwz6w3nnoa._file

Verdict:

malicious

Label(s):

pony

Pony

09ed97814c77c245a232bc489ee40e1c692c6118c92632407d0a1c55a0f4e6eb

Pony

3cb0c07ba97461549847dce3b31dba40a7c2336da15a3c3be6c794e78e335d75

Pony

838a75e33a187235ab198d6d013b440cdce381b0948903a898a3e621ea5f610a

Pony

8c1e96575788d9e375be918b132f8eb67134330d31297e766f94fa218bff9d1e

Pony

ba1957340084a89fb5d8297165784d3726d1accb8c14981cc7c261be15f28e9f

Pony

+ 18 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/230312-y145cahd3w/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Unpacked files

SH256 hash:

8ae03b110ace89c3237aae4dc7028b594fe0f2fb4d9464c992829f6cfadb6b5c

MD5 hash:

3919da5162a89a79bee46dc901fcf2e2

SHA1 hash:

87da3002a3b1b0463676402818804a732397d084

Link:

https://www.unpac.me/results/3aa04ab0-dbbd-4a28-9af4-49f23b622933/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/8ae03b110ace89c3237aae4dc7028b594fe0f2fb4d9464c992829f6cfadb6b5c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/373821/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample